crypto: use timing-safe comparison in Web Cryptography HMAC
author Filip Skokan <panva.ip@gmail.com>
Fri, 20 Feb 2026 11:32:14 +0000 (12:32 +0100)
committer Bastien Roucariès <rouca@debian.org>
Mon, 6 Apr 2026 14:18:52 +0000 (16:18 +0200)
commit 54aa4b1c3fb9e3b7e596294b644eb7c49fcc1d78
tree 7c3d70f91bc3ab69bff43bf1d5df895722402866
parent 08d3476090a2af01efc9cfbcdefe051aa51f92aa
crypto: use timing-safe comparison in Web Cryptography HMAC

Use `CRYPTO_memcmp` instead of `memcmp` in `HMAC`
Web Cryptography algorithm implementations.

Ref: https://hackerone.com/reports/3533945
PR-URL: https://github.com/nodejs-private/node-private/pull/831
Refs: https://hackerone.com/reports/3533945
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
CVE-ID: CVE-2026-21713
origin: https://github.com/nodejs/node/commit/cfb51fa9ce1da2a8c810ec35bcc7c000f8c94fafy

Gbp-Pq: Name CVE-2026-21713.patch
src/crypto/crypto_hmac.cc
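
The difference the commit message describes, as an added example that is not code from Node.js or from this patch: an early-exit compare inspects a number of bytes that depends on the matching prefix of the tag, while a constant-time compare always inspects all of them. All function names are hypothetical, `ct_cmp` is a self-contained stand-in for OpenSSL's `CRYPTO_memcmp`, and the tag bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#define TAG_LEN 32 /* HMAC-SHA-256 output size */
typedef unsigned char u8;

/* Models a byte-wise memcmp: returns at the first mismatch, so the number of
 * bytes inspected (*steps) tracks the length of the matching prefix. */
static int early_exit_cmp(const u8 *a, const u8 *b, size_t len, size_t *steps) {
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        *steps = i + 1;
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* Constant-time style compare: always inspects all len bytes and folds the
 * differences into one accumulator. Returns 0 only if the buffers are equal. */
static int ct_cmp(const u8 *a, const u8 *b, size_t len, size_t *steps) {
    volatile u8 diff = 0; /* volatile discourages the compiler from adding an early exit */
    *steps = 0;
    for (size_t i = 0; i < len; i++) {
        *steps = i + 1;
        diff |= (u8)(a[i] ^ b[i]);
    }
    return diff;
}

/* Verification step: the tag length is public, so it is checked first;
 * the tag bytes are then compared without a data-dependent early exit. */
static int verify_tag(const u8 *want, size_t want_len, const u8 *got, size_t got_len) {
    size_t steps;
    if (got_len != want_len) return 0;
    return ct_cmp(want, got, want_len, &steps) == 0;
}

static void make_tag(u8 *tag) { /* constructed sample bytes, not a real HMAC */
    for (size_t i = 0; i < TAG_LEN; i++) tag[i] = (u8)(0xA0 + i);
}

int main(void) {
    u8 good[TAG_LEN], bad[TAG_LEN];
    size_t s1, s2;
    make_tag(good); make_tag(bad);
    bad[5] ^= 0x01; /* first five bytes still match */
    early_exit_cmp(good, bad, TAG_LEN, &s1);
    ct_cmp(good, bad, TAG_LEN, &s2);
    printf("early-exit inspected %zu bytes, constant-time inspected %zu\n", s1, s2);
    return 0;
}
```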